From 6db06749e2037029adc96660aafa5339ed609e60 Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@wolfbeast.com>
Date: Thu, 5 Sep 2019 18:42:49 +0200
Subject: Fix whitelisting of JavaScript-uris by CSP hash.

---
 dom/security/nsCSPContext.cpp | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'dom/security/nsCSPContext.cpp')

diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 65be02809..56a119e1a 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
   for (uint32_t i = 0; i < mPolicies.Length(); i++) {
     bool allowed =
       mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) ||
-      mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) ||
-      mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+      mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated);
+      
+    // If the inlined script or style is allowed by either unsafe-inline or the
+    // nonce, go ahead and shortcut this loop.
+    if (allowed) {
+      continue;
+    }
+    
+    // Check if the csp-hash matches against the hash of the script.
+    // If we don't have any content to check, block the script.
+    if (!aContent.IsEmpty()) {
+      allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+    }
 
     if (!allowed) {
       // policy is violoated: deny the load unless policy is report only and
-- 
cgit v1.2.3